feat: use security contexts and mount configs instead of chown init containers (#223)

* Example to create postgres TLS cert without needing root in k8s

The prior example used apk to add openssl and curl, which needed root.
This makes the certs in an initContainer (alpine/openssl), then sends
to k8s in a separate container (alpine/curl), sharing state through
an emptyDir

* be less verbose with cert creation (avoid leakage to logs)

* chmod secrets in an emptyDir (avoiding need for root to chown to running user)

This relies on the fact that an emptyDir is set up with appropriate
permissions for whichever userid is running in the pod. The prior solution
required running chown/chmod by root in the init container. This obviates
the need for root, which is not permitted in many kubernetes installs
as a security precaution.

Fixes #177 and also fixes #178 (since there is no chown anymore).

* directly mount secrets

* fsGroup

* set defaulMode for secrets to 0440

This makes files user/group readable but not by others. Without
this, mode is set to 0644 (rw for user, r for group and others).

Also removes an unused emptyDir in debug replicaset

---------

Co-authored-by: Elio Bischof <[email protected]>

Author: bpow

charts/zitadel/Chart.yaml

@@ -3,7 +3,7 @@ name: zitadel
 description: A Helm chart for ZITADEL
 type: application
 appVersion: "v2.55.0"
-version: 8.0.0
+version: 8.1.0
 kubeVersion: ">= 1.21.0-0"
 icon: https://zitadel.com/zitadel-logo-dark.svg
 maintainers:

charts/zitadel/templates/_helpers.tpl

@@ -67,28 +67,6 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
-{{/*
-Create copy command or empty string
-*/}}
-{{- define "zitadel.makecpcommand" -}}
-{{- if .value -}}
-{{ printf "cp -r %s /chowned-secrets/" .path }}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Join copy commands
-*/}}
-{{- define "zitadel.joincpcommands" -}}
-{{- $cmd := "" }}
-    {{- range .commands -}}
-        {{- if . -}}
-            {{- $cmd = printf "%s && %s" ( default "yes" . ) $cmd  -}}
-        {{- end -}}
-    {{- end -}}
-{{ print $cmd }}
-{{- end -}}
-
 {{/*
 Returns true if the full path is defined and the value at the end of the path is not empty
 */}}
@@ -107,7 +85,7 @@ Returns true if the full path is defined and the value at the end of the path is
 {{- end -}}
 
 {{/*
-Returns the database config from the secreConfig or else from the configmapConfig
+Returns the database config from the secretConfig or else from the configmapConfig
 */}}
 {{- define "zitadel.dbconfig.json" -}}
     {{- if include "deepCheck" (dict "root" . "path" (splitList "." "Values.zitadel.secretConfig.Database")) -}}

charts/zitadel/templates/debug_replicaset.yaml

@@ -37,7 +37,7 @@ spec:
             {{- toYaml .Values.securityContext | nindent 14 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}-debug"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: [ "/bin/bash", "-c", 'echo "You can now open a shell within this pod by running the following command:"; echo ""; echo "kubectl --namespace {{ .Release.Namespace }} exec -it ${HOSTNAME} -- bash"; echo ""; echo "Check the directories /config and /.secrets for ZITADEL config files"; echo "also check the ZITADEL_ prefixed environment variables"; echo "For zitadel commands that need the masterkey, pass the flag --masterkeyFromEnv"; echo "this pod completes automatically in a day"; echo "Make sure you set zitadel.debug.enabled to false and upgrade the release when you are done"; echo "Also, delete the debug pods replica set by running the following command:"; echo; echo "kubectl --namespace {{ .Release.Namespace }} delete replicaset {{ include "zitadel.fullname" . }}-debug"; sleep 86400' ]
+          command: [ "/bin/bash", "-c", 'echo "You can now open a shell within this pod by running the following command:"; echo ""; echo "kubectl --namespace {{ .Release.Namespace }} exec -it ${HOSTNAME} -- bash"; echo ""; echo "Check the /config directory and the secret mounts for ZITADEL config files"; echo "also check the ZITADEL_ prefixed environment variables"; echo "For zitadel commands that need the masterkey, pass the flag --masterkeyFromEnv"; echo "this pod completes automatically in a day"; echo "Make sure you set zitadel.debug.enabled to false and upgrade the release when you are done"; echo "Also, delete the debug pods replica set by running the following command:"; echo; echo "kubectl --namespace {{ .Release.Namespace }} delete replicaset {{ include "zitadel.fullname" . }}-debug"; sleep 86400' ]
           env:
             - name: ZITADEL_MASTERKEY
               valueFrom:
@@ -49,60 +49,41 @@ spec:
             {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }}
             {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT
-              value: /.secrets/db-ssl-ca-crt/ca.crt
+              value: /db-ssl-ca-crt/ca.crt
             {{- end }}
             {{- if .Values.zitadel.dbSslUserCrtSecret }}
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT
-              value: /.secrets/db-ssl-user-crt/tls.crt
+              value: /db-ssl-user-crt/tls.crt
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
-              value: /.secrets/db-ssl-user-crt/tls.key
+              value: /db-ssl-user-crt/tls.key
             {{- end}}
             {{- with .Values.env }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
           volumeMounts:
           - name: zitadel-config-yaml
             mountPath: /config
-          - name: chowned-secrets
-            mountPath: /.secrets
-      {{- if or .Values.zitadel.secretConfig .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret .Values.zitadel.dbSslUserCrtSecret .Values.zitadel.configSecretName }}
-      initContainers:
-        - args:
-          - "{{ include "zitadel.joincpcommands" (dict "commands" (list
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/" ))
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
-              (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
-              )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
-          command:
-          - sh
-          - -c
-          image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}"
-          imagePullPolicy: {{ .Values.chownImage.pullPolicy }}
-          name: chown
-          volumeMounts:
-          - name: chowned-secrets
-            mountPath: /chowned-secrets
+            readOnly: true
           {{- if .Values.zitadel.secretConfig }}
           - name: zitadel-secrets-yaml
             mountPath: /zitadel-secrets-yaml
+            readOnly: true
           {{- end }}
           {{- if .Values.zitadel.configSecretName }}
           - name: zitadel-secret-config-yaml
             mountPath: /zitadel-secret-config-yaml
+            readOnly: true
           {{- end }}
           {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
           - name: db-ssl-ca-crt
             mountPath: /db-ssl-ca-crt
+            readOnly: true
           {{- end }}
           {{- if .Values.zitadel.dbSslUserCrtSecret }}
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
+            readOnly: true
           {{- end }}
-          securityContext:
-            runAsNonRoot: false
-            runAsUser: 0
-      {{- end }}
       volumes:
       - name: zitadel-config-yaml
         configMap:
@@ -111,29 +92,32 @@ spec:
       - name: zitadel-secrets-yaml
         secret:
           secretName: zitadel-secrets-yaml
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.configSecretName }}
       - name: zitadel-secret-config-yaml
         secret:
           secretName: {{ .Values.zitadel.configSecretName }}
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslCaCrt }}
       - name: db-ssl-ca-crt
         secret:
           secretName: db-ssl-ca-crt
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslCaCrtSecret }}
       - name: db-ssl-ca-crt
         secret:
           secretName: {{ .Values.zitadel.dbSslCaCrtSecret }}
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslUserCrtSecret }}
       - name: db-ssl-user-crt
         secret:
           secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
+          defaultMode: 0440
       {{- end }}
-      - name: chowned-secrets
-        emptyDir: {}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -146,4 +130,4 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-    {{- end }}
+    {{- end }}

charts/zitadel/templates/deployment.yaml

@@ -50,11 +50,11 @@ spec:
             - /config/zitadel-config-yaml
             {{- if .Values.zitadel.secretConfig }}
             - --config
-            - /.secrets/zitadel-secrets-yaml/zitadel-secrets-yaml
+            - /zitadel-secrets-yaml/zitadel-secrets-yaml
             {{- end }}
             {{- if and .Values.zitadel.configSecretName .Values.zitadel.configSecretKey }}
             - --config
-            - /.secrets/zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }}
+            - /zitadel-secret-config-yaml/{{ .Values.zitadel.configSecretKey }}
             {{- end }}
             - --masterkeyFromEnv
           env:
@@ -71,19 +71,19 @@ spec:
             {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }}
             {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT
-              value: /.secrets/db-ssl-ca-crt/ca.crt
+              value: /db-ssl-ca-crt/ca.crt
             {{- end }}
             {{- if .Values.zitadel.dbSslUserCrtSecret }}
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT
-              value: /.secrets/db-ssl-user-crt/tls.crt
+              value: /db-ssl-user-crt/tls.crt
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
-              value: /.secrets/db-ssl-user-crt/tls.key
+              value: /db-ssl-user-crt/tls.key
             {{- end }}
             {{- if .Values.zitadel.serverSslCrtSecret }}
             - name: ZITADEL_TLS_CERTPATH
-              value: /.secrets/server-ssl-crt/tls.crt
+              value: /server-ssl-crt/tls.crt
             - name: ZITADEL_TLS_KEYPATH
-              value: /.secrets/server-ssl-crt/tls.key
+              value: /server-ssl-crt/tls.key
             {{- end }}
             {{- if .Values.zitadel.selfSignedCert.enabled }}
             - name: ZITADEL_TLS_CERTPATH
@@ -154,59 +154,43 @@ spec:
           volumeMounts:
           - name: zitadel-config-yaml
             mountPath: /config
-          - name: chowned-secrets
-            mountPath: /.secrets
-          {{- if .Values.zitadel.selfSignedCert.enabled }}
-          - name: tls
-            mountPath: /etc/tls
-          {{- end }}
-          {{- with .Values.extraVolumeMounts }}
-          {{- toYaml . | nindent 10 }}
-          {{- end }}
-          resources:
-            {{- toYaml .Values.resources | nindent 14 }}
-      initContainers:
-        - args:
-          - "{{ include "zitadel.joincpcommands" (dict "commands" (list
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/" ))
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
-              (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
-              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.serverSslCrtSecret "path" "/server-ssl-crt/" ))
-              )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
-          command:
-          - sh
-          - -c
-          image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}"
-          imagePullPolicy: {{ .Values.chownImage.pullPolicy }}
-          name: chown
-          volumeMounts:
-          - name: chowned-secrets
-            mountPath: /chowned-secrets
+            readOnly: true
           {{- if .Values.zitadel.secretConfig }}
           - name: zitadel-secrets-yaml
             mountPath: /zitadel-secrets-yaml
+            readOnly: true
           {{- end }}
           {{- if .Values.zitadel.configSecretName }}
           - name: zitadel-secret-config-yaml
             mountPath: /zitadel-secret-config-yaml
+            readOnly: true
           {{- end }}
           {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
           - name: db-ssl-ca-crt
             mountPath: /db-ssl-ca-crt
+            readOnly: true
           {{- end }}
           {{- if .Values.zitadel.dbSslUserCrtSecret }}
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
+            readOnly: true
           {{- end }}
           {{- if .Values.zitadel.serverSslCrtSecret }}
           - name: server-ssl-crt
             mountPath: /server-ssl-crt
+            readOnly: true
           {{- end }}
-          securityContext:
-            runAsNonRoot: false
-            runAsUser: 0
-        {{- if .Values.zitadel.selfSignedCert.enabled }}
+          {{- if .Values.zitadel.selfSignedCert.enabled }}
+          - name: tls
+            mountPath: /etc/tls
+          {{- end }}
+          {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 14 }}
+      {{- if .Values.zitadel.selfSignedCert.enabled }}
+      initContainers:
         - name: generate-self-signed-cert
           image: alpine/openssl
           env:
@@ -226,11 +210,8 @@ spec:
             - "-c"
             - "openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout /etc/tls/tls.key -out /etc/tls/tls.crt -days 3560 -subj \"/CN=ZITADEL Chart Demo\" -addext \"subjectAltName = DNS:localhost,DNS:${POD_IP},DNS:${POD_NAME}{{- if .Values.zitadel.configmapConfig.ExternalDomain -}},DNS:{{- .Values.zitadel.configmapConfig.ExternalDomain -}}{{- end -}}{{- if .Values.zitadel.selfSignedCert.additionalDnsName -}},DNS:{{- .Values.zitadel.selfSignedCert.additionalDnsName -}}{{- end -}}\""
           securityContext:
-            readOnlyRootFilesystem: true
-            runAsNonRoot: true
-            privileged: false
-            runAsUser: 1000
-        {{- end }}
+            {{- toYaml .Values.securityContext | nindent 12 }}
+      {{- end }}
       volumes:
       - name: zitadel-config-yaml
         configMap:
@@ -239,34 +220,38 @@ spec:
       - name: zitadel-secrets-yaml
         secret:
           secretName: zitadel-secrets-yaml
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.configSecretName }}
       - name: zitadel-secret-config-yaml
         secret:
           secretName: {{ .Values.zitadel.configSecretName }}
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslCaCrt }}
       - name: db-ssl-ca-crt
         secret:
           secretName: db-ssl-ca-crt
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslCaCrtSecret }}
       - name: db-ssl-ca-crt
         secret:
           secretName: {{ .Values.zitadel.dbSslCaCrtSecret }}
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.dbSslUserCrtSecret }}
       - name: db-ssl-user-crt
         secret:
           secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
+          defaultMode: 0440
       {{- end }}
       {{- if .Values.zitadel.serverSslCrtSecret }}
       - name: server-ssl-crt
         secret:
           secretName: {{ .Values.zitadel.serverSslCrtSecret }}
+          defaultMode: 0440
       {{- end }}
-      - name: chowned-secrets
-        emptyDir: {}
       {{- if .Values.zitadel.selfSignedCert.enabled }}
       - name: tls
         emptyDir: {}